Key Access

Key Access Component Card Set Configuration

During this phase of the Key Generation Ceremony, a new Key Access Component Card Set, commonly referred to as Operator Card Set, can be created and bound to a cryptographic device’s security infrastructure.

Depending on the organization preference and/or regulatory requirements, all of the generated keys (or alternatively only a specified subset of generated keys, subject to the type of CA that they will be assigned too) may require protection from unauthorized access and may also require encryption using an encryption key that is divided into a specified number of components. These are referred too as Secret Components and once created they are stored on Key Access Component Cards.

If you choose to protect any keys with a set of Key Access Component Cards, you will need to create the new Key Access Component Card Set using the features provided by your cryptographic device vendor (e.g. HSM or other device). This will usually require you to define the card set configuration, such as the total number of cards in a card set and a minimum number of cards required to access the key (if you enable this option), to recover any lost card of the card set (if you enable this option), to recover lost PIN codes, that protect access to each card (if you enable this option) and finally - to recover a private key itself (if you enable this option).

Before a card set can be created, a sufficient number of Card Holders, that is individual persons holding the Key Access Component Holder responsibilities, should be appointed and attend the ceremony. Choose your Card Holders carefully and wisely and ensure they meet Trusted Employee requirements and other personnel related policies within you or your customer’s organization.

Each Card Holder, will need to be supplied with a special smart card, provided by the cryptographic device vendor. During the process of creation of a new Key Access Component Card Set, each Card Holder will be requested to insert the card into the smart card reader interface connected directly to the cryptographic device and enter and confirm a new PIN code they wish to protect their cards with. They must memorize their PIN codes and also store these securely in a well protected place such as safe. Before the process is completed, the Key Ceremony Administrator will also need to enter a Name for the newly generated card set in order to be able to identify it when the particular card set is needed in future use.

Upon successful creation of the new Key Access Component Card Set, the event should be documented in the Key Ceremony Notes Document, that should clearly display the Name assigned to the new Key Access Component Card Set, full name of each Card Holder, their personal details allowing the company, for which the keys are generated for, to easily contact each Card Holder when needed, and finally - the serial numbers of the smart cards they hold. The Key Ceremony Administrator should also ensure, that each Card Holder signs a dedicated Key Access Component Holder Document (a separate document for each Card Holder), which lists all of the Cart Holder responsibilities, their personal details and the Serial Number of the Key Access Component Card they hold.